Back to home

Signature Authentication

Secure your repositories with Ethereum signature-based authentication.

Generate Credential

Sign with your wallet

Ethereum Address

Connect your wallet to auto-fill

Success

Overview

grep3 uses Ethereum signatures to protect your repositories
Anyone can push to claim a new address on their first push
Once claimed, all subsequent pushes require proof of address ownership
One signature works for all repos under your address
Signatures are persistent and can be reused until revoked

How It Works

1 Get your challenge

Use the tool above or request a challenge via API. The challenge includes your address and a nonce.

API

curl https://git.grep3.com/auth/challenge/0xYourAddress

2 Sign the message

Sign the message field with your Ethereum wallet. The tool above handles this automatically.

3 Push with credentials

Use the generated credential as your git password (or username). The credential can be placed in either field. This same credential works for all repos under your address.

0x{signature}

Terminal

git push grep3 main
# When prompted:
# Username: anything (or paste credential here)
# Password: <paste credential>

Security

Signatures are persistent — sign once, push forever
One credential works for all repos under your address
Revoke signatures anytime by regenerating your nonce
Your private key never leaves your wallet
The server only verifies signatures, never stores them

First push

The first push to a new address does not require authentication. This allows anyone to claim an address. After the first push, all subsequent pushes to any repo under that address require signature authentication.

Revoking signatures

If you believe your signature has been compromised, you can revoke all existing signatures using the revoke API. This regenerates your nonce, invalidating any previously signed credentials for all repos under your address.

API Reference

GET /auth/challenge/:address

Returns a challenge to sign for authenticating pushes to any repo under this address.

Parameters:
:address - Your Ethereum address

Response (200): Challenge object with message to sign
Response (404): Address not found (no auth needed for first push)

POST /auth/revoke/:address

Revokes all existing signatures for an address by regenerating the nonce.

Parameters:
:address - Your Ethereum address

Request body:
{ "signature": "0x..." } - Signed message "grep3:revoke:{address}"

Response (200): Success + new challenge to sign
Response (401): Invalid signature
Response (404): Address not found